| skipped 10 lines |
| 11 | 11 | | * Encrypts the contents of the tunnel and authenticates the server by |
| 12 | 12 | | public key. |
| 13 | 13 | | |
| 14 | | - | It has these noteworthy limitations: |
| 15 | | - | * Requires intermediary resolvers to support large responses (1232 bytes, |
| 16 | | - | which is more than the mandated minimum of 512 bytes). |
| 17 | | - | |
| 18 | 14 | | dnstt is an application-layer tunnel that runs in userspace. It doesn't |
| 19 | 15 | | provide a TUN/TAP interface; it only hooks up a local TCP port with a |
| 20 | 16 | | remote TCP port (like netcat or `ssh -L`) by way of a DNS resolver. It |
| skipped 2 lines |
| 23 | 19 | | tunnel terminate at the proxy. |
| 24 | 20 | | |
| 25 | 21 | | ``` |
| 26 | | - | .------. .--------. .------. |
| 27 | | - | |tunnel|-- DoH / DoT --|resolver|-- UDP DNS --|tunnel| |
| 28 | | - | |client| '--------' |server| |
| 29 | | - | '------' '------' |
| | 22 | + | .------. | .---------. .------. |
| | 23 | + | |tunnel| | | public | |tunnel| |
| | 24 | + | |client|<---DoH/DoT--->|recursive|<--UDP DNS-->|server| |
| | 25 | + | '------' |c |resolver | '------' |
| | 26 | + | | |e '---------' | |
| | 27 | + | .------. |n .------. |
| | 28 | + | |local | |s |remote| |
| | 29 | + | | app | |o | app | |
| | 30 | + | '------' |r '------' |
| 30 | 31 | | ``` |
| 31 | 32 | | |
| 32 | 33 | | |
| skipped 50 lines |
| 83 | 84 | | port 53. You can have it listen on port 53 directly using `-udp :53`, |
| 84 | 85 | | but that requires the program to run as root. It is better to run the |
| 85 | 86 | | program as an ordinary user and have it listen on an unprivileged port |
| 86 | | - | (`:5300` above), and port-forward port 53 to it. On Linux, use this |
| 87 | | - | command to forward external port 53 to localhost port 5300: |
| | 87 | + | (`:5300` above), and port-forward port 53 to it. On Linux, use these |
| | 88 | + | commands to forward external port 53 to localhost port 5300: |
| 88 | 89 | | ``` |
| 89 | 90 | | # iptables -I INPUT -p udp --dport 5300 -j ACCEPT |
| 90 | 91 | | # iptables -t nat -I PREROUTING -i eth0 -p udp --dport 53 -j REDIRECT --to-ports 5300 |
| skipped 58 lines |
| 149 | 150 | | |
| 150 | 151 | | You can make the tunnel into a general-purpose proxy by running a proxy |
| 151 | 152 | | server and connecting the server end of the tunnel to it. For example, |
| 152 | | - | Ncat has a built-in simple HTTP server: |
| | 153 | + | Ncat has a built-in simple HTTP/HTTPS proxy: |
| 153 | 154 | | ``` |
| 154 | 155 | | $ ncat -lkv --proxy-type http 127.0.0.1 8000 |
| 155 | 156 | | $ ./dnstt-server -udp :5300 -privkey-file server.key t.example.com 127.0.0.1:8000 |
| skipped 53 lines |
| 209 | 210 | | The Noise layer is sandwiched between two other protocol layers: KCP |
| 210 | 211 | | (https://github.com/xtaci/kcp-go) which creates a reliable stream on top |
| 211 | 212 | | of unreliable datagrams, and smux (https://github.com/xtaci/smux) which |
| 212 | | - | provides stream multiplexing and session features. An observer (such as |
| 213 | | - | the intermediary resolver) may read the headers of the KCP layer, but not |
| 214 | | - | of the smux layer nor of the streams that are inside. The model is |
| 215 | | - | similar to what you would get with TLS or SSH over TCP: an observer can |
| 216 | | - | see TCP-level ACKs and sequence numbers, but cannot read the stream data |
| 217 | | - | inside. |
| | 213 | + | provides stream multiplexing and session features. An observer who can |
| | 214 | + | see DNS messages, such as the intermediary resolver, will be able to see |
| | 215 | + | the headers of the KCP layer, but not of the smux layer nor of the |
| | 216 | + | streams that are inside. The model is similar to what you would get with |
| | 217 | + | TLS or SSH over TCP: an observer can see TCP-level ACKs and sequence |
| | 218 | + | numbers, but cannot read the stream data. |
| 218 | 219 | | |
| 219 | 220 | | ``` |
| 220 | 221 | | application data |
| skipped 38 lines |
| 259 | 260 | | size as possible, but not larger than what is supported by the resolver |
| 260 | 261 | | you are using. Values above 1452 may cause IP fragmentation which can |
| 261 | 262 | | reduce performance. You can control the maximum UDP payload size with |
| 262 | | - | the `-mtu` option. The default is 1232 bytes; this ought to be supported |
| 263 | | - | by most resolvers that understand EDNS(0) (RFC 6891). For maximum |
| 264 | | - | compatibility, set the maximum to 512, but know that doing so will |
| 265 | | - | reduce downstream bandwidth. |
| | 263 | + | the `-mtu` option on the server. The default is 1232 bytes; this ought |
| | 264 | + | to be supported by most resolvers that understand EDNS(0) (RFC 6891). |
| | 265 | + | For maximum compatibility, set the maximum to 512, but know that doing |
| | 266 | + | so will reduce downstream bandwidth. |
| 266 | 267 | | ``` |
| 267 | | - | $ ./dnstt-client -mtu 512 -doh https://doh.example/dns-query -pubkey-file server.pub t.example.com 127.0.0.1:7000 |
| | 268 | + | $ ./dnstt-server -mtu 512 -doh https://doh.example/dns-query -pubkey-file server.pub t.example.com 127.0.0.1:7000 |
| 268 | 269 | | ``` |
| 269 | 270 | | |
| 270 | 271 | | The client and server emit an "effective MTU" log line when starting up |
| skipped 6 lines |
David Fifield
committed
4 years ago
1 parent 3254c1c8